From 2cb6bb6a3ce41a6994e470455979e73910a89b6b Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 20:57:58 +0100
Subject: [PATCH 1/3] Extract shell scripts into a `scripts` directory
---
 flake-parts/install-anywhere.nix | 62 ------------------------------
 flake-parts/nebula.nix | 33 ----------------
 flake-parts/scripts.nix | 13 +++++++
 scripts/install-anywhere.nix | 57 +++++++++++++++++++++++++++
 scripts/nebula-regen-host-cert.nix | 35 +++++++++++++++++
 5 files changed, 105 insertions(+), 95 deletions(-)
 delete mode 100644 flake-parts/install-anywhere.nix
 create mode 100644 flake-parts/scripts.nix
 create mode 100644 scripts/install-anywhere.nix
 create mode 100644 scripts/nebula-regen-host-cert.nix
diff --git a/flake-parts/install-anywhere.nix b/flake-parts/install-anywhere.nix
deleted file mode 100644
index c0f1570..0000000
--- a/flake-parts/install-anywhere.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-_: {
- perSystem =
- { pkgs, ... }:
- {
- packages.install-anywhere = pkgs.writeShellApplication {
- name = "install-anywhere";
-
- runtimeInputs = [
- pkgs.sops
- pkgs.ssh-to-age
- pkgs.bitwarden-cli
- ];
-
- text = ''
- if [[ $# -ne 2 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- destination="$2"
- root="$(mktemp --directory)"
-
- impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
- if [ "$impermanence" = true ]; then
- ssh_dir="$root/persist/etc/ssh"
- else
- ssh_dir="$root/etc/ssh"
- fi
-
- echo "==> Generating new SSH host keys..."
- mkdir --parents "$ssh_dir"
- ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
-
- echo "==> Replacing old age key with new age key..."
- new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
- echo "$new_age_key" > "hosts/$host/keys/age.pub"
-
- echo "==> Updating SOPS secrets..."
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
- SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
- export SOPS_AGE_KEY
- fi
- SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
- export SOPS_CONFIG
- sops updatekeys --yes "hosts/$host/secrets.json"
-
- echo "==> Installing system..."
- nix run github:nix-community/nixos-anywhere -- \
- --extra-files "$root" \
- --flake ".#$host" \
- --target-host "$destination"
-
- rm -rf "$root"
- '';
- };
- };
-}
diff --git a/flake-parts/nebula.nix b/flake-parts/nebula.nix
index 813c8cb..b1b9791 100644
--- a/flake-parts/nebula.nix
+++ b/flake-parts/nebula.nix
@@ -16,38 +16,5 @@ _: {
 fi
 '';
 };
-
- packages.nebula-regen-host-cert = pkgs.writeShellApplication {
- name = "nebula-regen-host-cert";
- runtimeInputs = [
- pkgs.nebula
- pkgs.bitwarden-cli
- ];
- text = ''
- if [[ $# -ne 1 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
- ca_cert='modules/system/services/nebula/ca.crt'
- host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
- host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
- host_cert="''${host_cert#*-source/}"
-
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- fi
-
- ca_key="$(mktemp)"
- chmod 600 "$ca_key"
- trap 'rm -f "$ca_key"' EXIT
- bw get notes 'nebula ca-key' > "$ca_key"
-
- rm -f "$host_cert"
- nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
- '';
- };
 };
 }
diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix
new file mode 100644
index 0000000..62fecf0
--- /dev/null
+++ b/flake-parts/scripts.nix
@@ -0,0 +1,13 @@
+{ self, ... }:
+{
+ perSystem =
+ { pkgs, lib, ... }:
+ {
+ packages =
+ "${self}/scripts"
+ |> builtins.readDir
+ |> lib.attrNames
+ |> lib.map (name: name |> lib.removeSuffix ".nix")
+ |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
+ };
+}
diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
new file mode 100644
index 0000000..10be289
--- /dev/null
+++ b/scripts/install-anywhere.nix
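Review bot: `builtins.readDir` in the new `flake-parts/scripts.nix` returns every entry of `scripts/`, so the moment a non-`.nix` file or a subdirectory lands there (a README, an editor backup, a shared helper directory) `lib.removeSuffix ".nix"` leaves its name untouched and the `import "${self}/scripts/${name}.nix"` step fails for the whole `packages` set. Filter before mapping: `|> lib.filterAttrs (_: type: type == "regular")` directly after `builtins.readDir`, and `|> lib.filter (lib.hasSuffix ".nix")` after `lib.attrNames`. The `|>` chain relies on the `pipe-operators` experimental feature unless the repo's Nix version has stabilised it, so a one-line comment naming that requirement at the top of the file would save anyone whose `nix.conf` lacks it from a confusing parse error. `self.lib.genAttrs` is presumably the flake's own re-export of `lib.genAttrs`; if so, the nixpkgs `lib` already in scope here would do.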
@@ -0,0 +1,57 @@
+{ pkgs }:
+pkgs.writeShellApplication {
+ name = "install-anywhere";
+
+ runtimeInputs = [
+ pkgs.sops
+ pkgs.ssh-to-age
+ pkgs.bitwarden-cli
+ ];
+
+ text = ''
+ if [[ $# -ne 2 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ destination="$2"
+ root="$(mktemp --directory)"
+
+ impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
+ if [ "$impermanence" = true ]; then
+ ssh_dir="$root/persist/etc/ssh"
+ else
+ ssh_dir="$root/etc/ssh"
+ fi
+
+ echo "==> Generating new SSH host keys..."
+ mkdir --parents "$ssh_dir"
+ ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
+
+ echo "==> Replacing old age key with new age key..."
+ new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
+ echo "$new_age_key" > "hosts/$host/keys/age.pub"
+
+ echo "==> Updating SOPS secrets..."
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+ export SOPS_AGE_KEY
+ fi
+ SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
+ export SOPS_CONFIG
+ sops updatekeys --yes "hosts/$host/secrets.json"
+
+ echo "==> Installing system..."
+ nix run github:nix-community/nixos-anywhere -- \
+ --extra-files "$root" \
+ --flake ".#$host" \
+ --target-host "$destination"
+
+ rm -rf "$root"
+ '';
+}
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
new file mode 100644
index 0000000..a7ef614
--- /dev/null
+++ b/scripts/nebula-regen-host-cert.nix
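Review bot: `root="$(mktemp --directory)"` receives the freshly generated host private key (`$ssh_dir/ssh_host_ed25519_key`), but that directory is only removed by the final `rm -rf "$root"`; since `writeShellApplication` runs the script with `set -euo pipefail`, a failure anywhere in between (`nix eval`, `bw unlock`, `sops updatekeys`, the `nixos-anywhere` run itself) exits early and leaves the key sitting in the temp directory. Register the cleanup right after creation, as the sibling `nebula-regen-host-cert` already does for its CA key: `trap 'rm -rf "$root"' EXIT`. Separately, `nix run github:nix-community/nixos-anywhere` fetches whatever upstream revision is current at run time and hands it the target host plus the new key material; pinning it as a flake input would make the installer reproducible and lockable like the rest of the configuration. The body of `text` moved unchanged from `flake-parts/install-anywhere.nix`, so both points predate this commit.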
@@ -0,0 +1,35 @@
+{ pkgs }:
+pkgs.writeShellApplication {
+ name = "nebula-regen-host-cert";
+
+ runtimeInputs = [
+ pkgs.nebula
+ pkgs.bitwarden-cli
+ ];
+
+ text = ''
+ if [[ $# -ne 1 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
+ ca_cert='modules/system/services/nebula/ca.crt'
+ host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
+ host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
+ host_cert="''${host_cert#*-source/}"
+
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ fi
+
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+
+ rm -f "$host_cert"
+ nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+ '';
+}
From f00f85074b076f1f75688cfea755817e4f4f64fe Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 21:02:47 +0100
Subject: [PATCH 2/3] Concentrate all dev shells in one file
---
 flake-parts/dev-shells.nix | 44 +++++++++++++++++++++++
 flake-parts/nebula.nix | 20 ----------
 flake-parts/{sops.nix => sops-config.nix} | 29 +--------------
 3 files changed, 45 insertions(+), 48 deletions(-)
 create mode 100644 flake-parts/dev-shells.nix
 delete mode 100644 flake-parts/nebula.nix
 rename flake-parts/{sops.nix => sops-config.nix} (64%)
diff --git a/flake-parts/dev-shells.nix b/flake-parts/dev-shells.nix
new file mode 100644
index 0000000..6d8ac6a
--- /dev/null
+++ b/flake-parts/dev-shells.nix
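Review bot: `rm -f "$host_cert"` runs before `nebula-cert sign`, so if signing fails (wrong or missing Bitwarden note, an empty `$address` from `nix eval`, a CA key that does not match `ca.crt`) `set -e` stops the script with the host's previous certificate already deleted and nothing in its place. Write the new certificate to a temporary name and swap it in only on success: `nebula-cert sign ... -out-crt "$host_cert.new"` followed by `mv -f "$host_cert.new" "$host_cert"`, after which the `rm -f` line can go (it presumably exists only because `nebula-cert` refuses to overwrite an existing output file). `host_cert="''${host_cert#*-source/}"` turns the evaluated store path back into a repo-relative path by assuming the flake source is copied to the store as `*-source/`; a comment such as `# strip the /nix/store/…-source/ prefix so the cert is written into the checkout` would spare the next reader from reverse-engineering it. The body of `text` moved from `flake-parts/nebula.nix`, so both points predate this commit.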
@@ -0,0 +1,44 @@
+_: {
+ perSystem =
+ { self', pkgs, ... }:
+ {
+ devShells = {
+ sops = pkgs.mkShellNoCC {
+ packages = [
+ pkgs.sops
+ pkgs.age
+ pkgs.ssh-to-age
+ pkgs.bitwarden-cli
+ ];
+
+ shellHook = ''
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+ export SOPS_AGE_KEY
+ fi
+ SOPS_CONFIG="${self'.packages.sops-config}"
+ export SOPS_CONFIG
+ '';
+ };
+
+ nebula = pkgs.mkShellNoCC {
+ packages = [
+ pkgs.nebula
+ pkgs.bitwarden-cli
+ self'.packages.nebula-regen-host-cert
+ ];
+
+ shellHook = ''
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ '';
+ };
+ };
+ };
+}
diff --git a/flake-parts/nebula.nix b/flake-parts/nebula.nix
deleted file mode 100644
index b1b9791..0000000
--- a/flake-parts/nebula.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-_: {
- perSystem =
- { self', pkgs, ... }:
- {
- devShells.nebula = pkgs.mkShellNoCC {
- packages = [
- pkgs.nebula
- pkgs.bitwarden-cli
- self'.packages.nebula-regen-host-cert
- ];
-
- shellHook = ''
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- '';
- };
- };
-}
diff --git a/flake-parts/sops.nix b/flake-parts/sops-config.nix
similarity index 64%
rename from flake-parts/sops.nix
rename to flake-parts/sops-config.nix
index 2022158..1d9f167 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops-config.nix
@@ -1,12 +1,7 @@
 { self, ... }:
 {
 perSystem =
- {
- self',
- pkgs,
- lib,
- ...
- }:
+ { pkgs, lib, ... }:
 {
 packages.sops-config =
 let
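Review bot: The `bw unlock`/`export BW_SESSION` block now exists in four copies: both `shellHook`s in this file plus the `text` of `scripts/install-anywhere.nix` and `scripts/nebula-regen-host-cert.nix`, and the third patch of this series shows the failure mode, where one copy drifted (no `export`) and had to be fixed on its own. Define it once as a Nix string (for example a `bwUnlockHook` value in a shared file, or an attribute the flake exposes under `lib`) and interpolate it into each `shellHook` and script `text`; the `SOPS_AGE_KEY` block shared by the `sops` shell and the install script deserves the same treatment. The `sops` shell also places the admin age private key into the environment of every process started from it; a one-line comment on `export SOPS_AGE_KEY` stating that this is deliberate because sops reads that variable would make the trade-off visible to anyone later adding tools to the shell.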
@@ -42,27 +37,5 @@
 pkgs.runCommand "sops.yaml" { buildInputs = [ pkgs.yj ]; } ''
 echo '${jsonConfig}' | yj -jy > $out
 '';
-
- devShells.sops = pkgs.mkShellNoCC {
- packages = [
- pkgs.sops
- pkgs.age
- pkgs.ssh-to-age
- ];
-
- nativeBuildInputs = [ pkgs.bitwarden-cli ];
- shellHook = ''
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
- SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
- export SOPS_AGE_KEY
- fi
- SOPS_CONFIG="${self'.packages.sops-config}"
- export SOPS_CONFIG
- '';
- };
 };
 }
From a96b31d4e1802ac33d69842165164983ff509cc3 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 5 Feb 2026 21:10:17 +0100
Subject: [PATCH 3/3] scripts: Fix BW_SESSION export
---
 scripts/nebula-regen-host-cert.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index a7ef614..1d6e75d 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -22,6 +22,7 @@ pkgs.writeShellApplication {
 if ! declare -px BW_SESSION >/dev/null 2>&1; then
 BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
 fi
 ca_key="$(mktemp)"